Commit Graph

1518 Commits

Author SHA1 Message Date
Samirbous 0f6ded452b [New RTA] Endpoint Rules (#2788)
* [New RTA] Endpoint Rules

Suspicious Access to LSA Secrets Registry
Security Account Manager (SAM) Registry Access
Privilege Escalation via EXTENDED STARTUPINFO
Potential Privilege Escalation via Token Impersonation
Suspicious Impersonation as Trusted Installer
NTDLL Loaded from an Unusual Path
Sensitive File Access - Unattended Panther
Potential Discovery of Windows Credential Manager Store
Potential Discovery of DPAPI Master Keys
Potential Process Creation via ShellCode

* Update evasion_ntdll_from_unusual_path.py

* Update credaccess_reg_query_privesc_token_manip.py

* Create shellcode_load_ws2_32_unbacked.py

* Update shellcode_load_ws2_32_unbacked.py

* fix import

* Update credaccess_reg_query_privesc_token_manip.py

* Update shellcode_load_ws2_32_unbacked.py

* Update shellcode_load_ws2_32_unbacked.py

* Update shellcode_load_ws2_32_unbacked.py

* Update shellcode_load_ws2_32_unbacked.py

* Update shellcode_winexec_calc.py

* DLL Side Loading via a Copied Microsoft Executable

* Update sideload_msbin_faultrep.py

* DLL SideLoad via a Microsoft Signed Binary

* Update sideload_msbin_faultrep.py

* C2 via ISO file

* ++

* persistence from ISO

* Update exec_persistence_from_iso.py

* replaced win32con with actual static values

* Update sensitive_file_access.py

* Update credaccess_reg_query_privesc_token_manip.py

* Update ExecFromISOFile.ps1

* Suspicious ImageLoad from an ISO Mounted Device

* Update execution_iso_dll_rundll32.py

* Update c2_dns_from_iso.py

* Update shellcode_load_ws2_32_unbacked.py

* Update shellcode_load_ws2_32_unbacked.py

* Update impersonate_trusted_installer.py

* Library Loaded via a Callback Function

* Update evasion_loadlib_via_callback.py

* ++

* added ntds.dit access

* Security Account Manager (SAM) File Access

* Update sensitive_file_access.py

* Update sensitive_file_access.py

* Update sensitive_file_access.py

* Suspicious Execution via DotNet Remoting

* Update evasion_addinproc_certoc.py

* Update evasion_addinproc_certoc_odbc.py

* Update evasion_addinproc_certoc_odbc_gfxdwn.py

* Update evasion_addinproc_certoc_odbc_gfxdwn.py

* ++

* Update evasion_unhook_ldrloaddll.py

* added ETW and AMSI patching

* Update evasion_oversized_dll_load.py

* Update sensitive_file_access.py

added technique ids

* Update c2_dns_from_iso.py

fixed endpoint rule.ids array

* moved getppid to common.py

* moved impersonate_system to common

* moved inject to common.py

* Update credaccess_sam_from_vss.py

* Update evasion_addinproc_certoc_odbc_gfxdwn.py

* Update evasion_loadlib_via_callback.py

* Update evasion_oversized_dll_load.py

* Update evasion_patch_etw_amsi.py

* Update execution_iso_dll_sideload.py

* Update evasion_unhook_ldrloaddll.py

* Update exec_persistence_from_iso.py

* Update execution_iso_dll_rundll32.py

* Update sensitive_file_access.py

* Update shellcode_load_ws2_32_unbacked.py

* ++

* Update rta/c2_dns_from_iso.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rta/common.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rta/common.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rta/credaccess_reg_query_privesc_token_manip.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rta/credaccess_sam_from_vss.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rta/common.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rta/credaccess_sam_from_vss.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update shellcode_winexec_calc.py

* Update shellcode_load_ws2_32_unbacked.py

* Update c2_dns_from_iso.py

* Update evasion_oversized_dll_load.py

* Update rta/credaccess_sam_from_vss.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update evasion_oversized_dll_load.py

* Update rta/credaccess_sam_from_vss.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update credaccess_sam_from_vss.py

* Update c2_dns_from_iso.py

* ++

* ++

* ++

* Update impersonate_trusted_installer.py

* Update evasion_patch_etw_amsi.py

* Update credaccess_reg_query_privesc_token_manip.py

* ++

* Update evasion_ntdll_from_unusual_path.py

* Update evasion_oversized_dll_load.py

* ++

* Update common.py

* Update ExecFromISOFile.ps1

* Update evasion_ntdll_from_unusual_path.py

* add cpp source files

* Update rta/common.py

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

* Update rta/src/LoadLib-Callback64.cpp

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

* Update rta/src/rta_unhook_ldrload.cpp

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

* Update rta/impersonate_trusted_installer.py

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 16:58:30 +01:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823)
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 10:58:31 -04:00
Terrance DeJesus d829b145ef [Bug] Fix Tag Navigator Generation (#2875)
* bug fix for tag navigator generation

* addressing flake errors

* added unit test to ensure prefix exists

* updated unit test case sensitivity

* moved expected tags to definitions.py

* removed expected prefixes

* revert downloadable updates JSON file
2023-06-23 10:44:55 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725)
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00
Terrance DeJesus 7d758fdacd [New Rule] Potential Malicious File Downloaded from Google Drive (#2862)
* new rule for malicious files downloaded from Google Drive

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* removed unnecessary tags

* removed extra space

* updated false positives

* fix unit testing failure

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* removed note field

* added cmd.exe

* updated updated_date

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* removed LoLBins to capture unknown binaries involved

* removed code signature requirements

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-06-22 14:10:14 -04:00
Ruben Groenewoud 7c5f17e30c [New Rules] User / Group Creation & Privileged Group Addition (#2546)
* [New Rules] user/group creation

* Update rules/linux/persistence_linux_group_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added backdoor user account

* added host.os.type == linux for unit testing fix

* unit testing fixes

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Added OSQuery to Investigation Guides

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* removed investigation guides to add in future PR

* Fixed some issues with the rules

* fixed typo

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_group_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-22 15:15:48 +02:00
Ruben Groenewoud 71186c8788 [Rule Tuning] Potential Persistence Through Run Control Detected (#2857)
* [Rule Tuning] changed rule type to new_terms

* Updated min stack comment

* Update persistence_rc_script_creation.toml

* Changed description, removed file.path from new_terms field because it is not necessary

* added host.id to new terms field and bumped up min stack
2023-06-22 13:39:36 +02:00
Ruben Groenewoud 7d64dc2a87 [Rule tunings / New Rule] Kernel Unload and Enumeration (#2838)
* [Rule Tunings] Kernel Module Enumeration / Removal

* [Rule Tunings] Kernel Module Enumeration and Removal

* Deleted copy of wrong file

* EQL Conversion and made the rule more resilient

* Converted rules to EQL and made rules more resilient

* Removed unwanted rule from PR

* fixed unit tests

* fixed unit testing, removed endgame support

* Added a rule to detect kernel module enum via proc

* Did some additional tuning, 0 hits in RedSector now
2023-06-22 10:11:52 +02:00
Terrance DeJesus 082e92c95c [Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion (#2854)
* adding new rule for Okta ThreatInsight threat suspected

* added promotion tag

* removed new rule and tuned existing

* added promotion tag

* Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-21 09:47:27 -04:00
eric-forte-elastic 6449cecd08 [FR] Add support for building block rules (BBR) (#2822)
* added test bbr

* initial implementation

* Added Unit test and exempted bbr from integrations

* fixed linting

* Add schema validation to building block rules

* add separate error messages

* fixed linting

* Add testing bbr validation

* fixed linting

* Add default values

* fixed linting

* added defaults

* fixed linting

* cleaned up test rule

* removed .gitkeep

* read .gitkeep

* Switch to using validates_schema

* addressing some linting

* fixed linting

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* add env variable check

* fix skip function

* updated name

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Add bbr validation unit test

* Clean up comments

* fix linting

* Move convert time to utils

* Moved to rules_building_block

* Add check for only bbr in bbr dir

* fix linting

* additional linting fix

* Changed to bbr rule loader

* fixed bbr default

* Updated error messages and README

* fixed more linting

* Updating root level README

* Fixed convert_time_span calls

* fixed typo in unit test logic and updated txt

* fixed error message

* updated comment for clarity

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated validation methods for clarity

* fix docstring location

* Fixed typo

* updated error messages.

* removed excess whitespace

* Add per rule bypass

* Add single rule bypass

* Split unit tests

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-20 09:00:30 -04:00
Ruben Groenewoud dc05f1d8f3 [New Rule] Sus Network Activity from Unknown Executable (#2856)
* [New Rule] Sus Network Activity from Unknown Executable

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* added endgame support, changed min stack comment

* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-14 23:27:29 +02:00
Ruben Groenewoud b4a218ed1c [New Rule] Shared Object Created (#2848)
* [New Rule] Shared Object Created or Changed

* Removed sub technique

* Update rules/linux/persistence_shared_object_creation.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* changed description slightly

* Update rules/linux/persistence_shared_object_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_shared_object_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* added T1574.006

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-13 22:51:07 +02:00
github-actions[bot] 01334a28bd Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 (#2853)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-06-13 09:48:24 -04:00
Ruben Groenewoud 4f9f28c370 [New Rules] Cron Job / Systemd Service Creation (#2847)
* [New Rules] Cron Job/Systemd Service Creation

* Added execution to tags

* Added additional EndGame Support

* Update rules/linux/persistence_cron_job_creation.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

* Update rules/linux/persistence_systemd_service_creation.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-06-13 09:44:44 +02:00
Ruben Groenewoud 644d2f5b26 [New Rule] New Systemd Timer Created (#2601)
* [New Rule] New Systemd Timer Created

* improve query runtime performance

* added process.name entries for alert reduction

* attempt to fix gh unit testing failure

* added host.os.type==linux to fix unit test error

* Added OSQuery to investigation guides

* added additional process names

* removed investigation guides to add in future PR

* removed investigation guide tag

* Changed rule to new_terms rule to reduce FPs

* fixed query

* formatting fix

* Learnt another thing about KQL... Formatting fix.

* unit test fix

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-06-13 09:15:47 +02:00
eric-forte-elastic 450e84ffa2 [FR] Add host family to data path (#2839)
* add rounding logic

* cleaned up event_sort

* fix linting

* Added host_family to ndjson file path

* linting fix

* Added ability to manually supply host_os_family

* fixed linting

* Update detection_rules/utils.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/utils.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* linting updates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-12 16:03:33 -04:00
Eric 1e404cde34 [Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions (#2831)
* Add Ssms.exe to query exceptions

* Changed updated_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-12 16:15:47 -03:00
Terrance DeJesus 8db42da040 Limit backports to 8.3+ (#2450)
* Drop Rule Support for Outdated Stack Versions Less Than 8.3

* changed version lock key assignment logic and updated version lock file

* added comment to stack-schema-map file

* changed version lock key assignment logic to use custom Version method

* Update detection_rules/devtools.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* reverting version lock file to original

* updated version lock from adjusted comparison logic of stack versions

* updated logic in devtools; removed < 8.3.0 in version lock file

* trimmed lock version before merge

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-12 12:51:40 -04:00
Jonhnathan 665bf03ec0 [Rule Tuning] Remote System Discovery Commands (#2834) 2023-06-07 14:24:53 -03:00
Eric 601788c4df Added Outlook.exe as a query exception (#2814)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-06-06 17:47:25 +01:00
Eric 221e756b48 Adjusted exceptions to rule for Nessus (#2774)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-06-06 17:39:34 +01:00
github-actions[bot] cc377b6634 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 (#2824)
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-05-31 12:42:12 -04:00
Terrance DeJesus e0ceb5a434 adjust integrations file; add option for single integration update (#2816) 2023-05-31 11:00:58 -04:00
Jonhnathan 05aac4f371 [Security Content] Add Investigation Guides to Windows rules (#2678)
* [Security Content] Add Investigation Guides to Windows rules

* Update privilege_escalation_service_control_spawned_script_int.toml

* Update execution_reverse_shell_via_named_pipe.toml

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update execution_command_prompt_connecting_to_the_internet.toml

---------

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-05-26 10:25:41 -03:00
Jonhnathan 0d5e25e896 [Rule Tuning] Interactive Terminal Spawned via Python (#2781)
* [Rule Tuning] Interactive Terminal Spawned via Python

* Update execution_python_tty_shell.toml

* Update execution_python_tty_shell.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-05-26 10:19:35 -03:00
Ruben Groenewoud 54c5c17aa3 [Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583)
* [Rule tuning & Addition] SSH Bruteforce

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* fixed rule_id change, added additional cidr match

* added host.os.type==linux

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Formatting style change

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Added related rules suggestion

* Added related rule suggestion

* added additional internal ip ranges

* added additional internal ip ranges

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-05-25 12:00:44 +02:00
Terrance DeJesus 8766734c89 [Bug] Adding additional dependency typing-extensions (#2812)
* added additional dependency

* adding pip cache purge
2023-05-24 10:23:35 -04:00
Terrance DeJesus e9baebc2bc bug fix for misspelled variable call (#2800) 2023-05-18 12:45:13 -04:00
Terrance DeJesus 7f249e6cc4 [Security Content] Add Google Workspace Investigation Guides (#2540)
* adding google workspace investigation guides

* updated 'Google Workspace Custom Gmail Route Created or Modified' guide

* updated 'Google Workspace Custom Gmail Route Created or Modified' guide

* updated 'Application Removed from Blocklist in Google Workspace'

* updated 'Domain Added to Google Workspace Trusted Domains'

* updated 'Google Workspace Bitlocker Setting Disabled'

* updated 'Google Workspace Admin Role Deletion'

* updated 'Application Added to Google Workspace Domain'

* updated 'Google Workspace Admin Role Assigned to a User'

* updated 'Google Workspace Role Modified'

* updated 'Google Workspace Custom Admin Role Created'

* updated 'Google Workspace API Access Granted via Domain-Wide Delegation of Authority'

* updated 'Google Workspace Password Policy Modified'

* updated 'Google Workspace Restrictions for Google Marketplace Modified to Allow Any App'

* updated 'Google Workspace User Organizational Unit Changed'

* reverted 'Google Workspace User Group Access Modified to Allow External Access'

* removed new lines

* added 'Investigation Guide' tags

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* removed duplicate file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
2023-05-18 10:16:20 -04:00
github-actions[bot] 836c803e9d Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 (#2797)
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8

* kicking off testing

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-05-17 12:16:54 -04:00
Jonhnathan 0b3f603179 [Rule Tuning] Adding Hidden File Attribute via Attrib (#2726)
* [New Rule] Adding Hidden File Attribute via Attrib

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-17 10:23:11 -03:00
Jonhnathan 9f734c2c1f [Rule Tuning] System Information Discovery via Windows Command Shell (#2741) 2023-05-17 09:58:21 -03:00
Isai 0eed8ce27f [New Rule] SSH Process Launched From Inside A Container (#2794)
* [New Rule] SSH Process Launched From Inside A Container

new toml rule file

* changed "not" query

changed query to !=

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-05-16 17:32:58 -04:00
Isai b0838cc2cb [New Rule] SSH Connection Established Inside A Running Container (#2793)
* [New Rule] SSH Connection Established Inside A Running Container

new rule toml

* Update initial_access_ssh_connection_established_inside_a_container.toml

moved order of tactics

* Apply suggestions from code review

updated spacing based on code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 16:56:52 -04:00
Isai 515d393828 [New Rule] SSH Authorized Keys File Modified Inside a Container (#2792)
* [New Rule] SSH Authorized Keys File Modified Inside a Container

new rule toml

* toml file name change

changed duplicate toml file name

* Update persistence_ssh_authorized_keys_modification_inside_a_container.toml

added time intervals

* removed redundant event.type

removed event.type fields

* added back event.type and removed event.action per reviewer suggestion

removed redundant event.action fields
2023-05-16 16:30:17 -04:00
Isai 648dd8b3ed [New Rule] Interactive Exec Command Launched Against A Running Container (#2791)
* [New Rule] Interactive Exec Command Launched Against A Running Container

new rule toml

* Update execution_interactive_exec_to_container.toml

updated reference links

* Update execution_interactive_exec_to_container.toml

fixed the comments

* Update execution_interactive_exec_to_container.toml

* Update execution_interactive_exec_to_container.toml

removed process.session_leader.same_as_process

* Update execution_interactive_exec_to_container.toml

added time intervals

* Apply suggestions from code review

updated spacing

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 16:09:10 -04:00
Isai 9e3dc112b3 [New Rule] Sensitive Files Compression Inside A Container (#2790)
new rule toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 15:49:42 -04:00
Isai d8e9874d54 [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container (#2789)
* [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container

new rule toml

* description update

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* added locate and mlocate based on review suggestion

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 15:29:54 -04:00
Isai 73f87ad7e6 [New Rule] Suspicious Network Tool Launched Inside A Container (#2759)
* [New Rule] Suspicious Network Tool Launched Inside A Container

new rule

* Apply suggestions from code review

removed unused fields, adjust from field for readability

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* update based on reviews

added additional tools, added false positives section, raised risk score

* Update discovery_suspicious_network_tool_launched_inside_a_container.toml

adjusted tags

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 15:21:42 -04:00
Isai 5fd155849e [New Rule] File Made Executable via Chmod Inside A Container (#2757)
* [New Rule] File Made Executable via Chmod Inside A Container

new rule

* edit threat matrix urls

add final / to reference urls

* Apply suggestions from code review

removed unused fields, adjust from field for readability

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

added Defense Evasion tag

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

adjusted tags

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 15:15:49 -04:00
Isai 4c996490ec [New Rule] Netcat Listener Established Inside A Container (#2756)
* [New Rule] Netcat Listener Established Inside A Container

new rule toml

* remove references

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* remove false_positives

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* adjust from field from s to m for readability

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update execution_netcat_listener_established_inside_a_container.toml

updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables

* optimized query

optimized query to deduplicate fields based on review feedback

* Update execution_netcat_listener_established_inside_a_container.toml

updated query comment

* Update execution_netcat_listener_established_inside_a_container.toml

added false positive section

* Update execution_netcat_listener_established_inside_a_container.toml

adjusted tags

* removed the != end query parameter

removed the exclusion of end events for this to account for short-lived netcat listener processes

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-05-16 15:08:20 -04:00
Isai e954b6d7eb [New Rule] Interactive Shell Spawned From Inside a Container (#2752)
* Create execution_interactive_shell_spawned_from_inside_a_container.toml

new rule

* Update execution_interactive_shell_spawned_from_inside_a_container.toml

edited threat matrix

* Update execution_interactive_shell_spawned_from_inside_a_container.toml

changed boolean in query from string type

* Update execution_interactive_shell_spawned_from_inside_a_container.toml

added timestamp_override field

* Apply suggestions from code review

readability from field change, removed references field

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Apply suggestions from code review

index spacing, rule name, comment change

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update execution_interactive_shell_spawned_from_inside_a_container.toml

updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unnecessary comments and simplify the query.

* Update rule query

updated rule query to use process.executable and an or field for event.action

* Update execution_interactive_shell_spawned_from_inside_a_container.toml

adjusted tags

* changed "not" in query

event.action != end based on review suggestion

* spacing around comments

* removed ending wildcard causing FPs

removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-05-16 15:02:20 -04:00
Isai ee86144565 [New Rule] Container Management Binary Run Inside A Container (#2754)
* [New Rule] Container Management Binary Run Inside A Container

new rule

* Apply suggestions from code review

removed unused fields, adjust from field for readability

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Apply suggestions from code review

description change, name change, index spacing

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update false_positives and query

added false positives section and updated query with container.id field

* Update execution_container_management_binary_launched_inside_a_container.toml

adjusted tags

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-05-16 14:41:27 -04:00
Terrance DeJesus 24974108f3 updated ATT&CK 13.0 to 13.1 (#2795) 2023-05-16 11:01:52 -04:00
Ruben Groenewoud 9ebffb44ff [New Rules] Ransomware Encryption & Note Creation (#2652)
* [New Rules] Ransomware Encryption & Note Creation

* changed description

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 11:30:00 +02:00
Jonhnathan d017156454 [Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761)
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update test_all_rules.py

* Update test_all_rules.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-05-15 20:31:59 -03:00
Mika Ayenson ea9bfc3e2b Update trigger-react.yml (#2779) 2023-05-05 13:21:54 -04:00
shashank-elastic 1293365a7f Rule to detect Potential Linux Credential Dumping via Proc Filesystem (#2751) 2023-05-05 22:23:15 +05:30
Ruben Groenewoud 26258f806a [New Rules] Persistence through MOTD (#2608)
* [New Rules] Persistence through MOTD

* fixed unit error test by adding timestamp_override

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added host.os.type == "linux"

* removed ability to bypass chmod by using e.g. 700

* Added endgame support, changed query

* Changed query

* updated risk_score

* added OSQuery to investigation guides

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* removed investigation guides to add in future PR

* removed investigation guide tag

* Changed rule to new terms rule for FP reduction

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-05 10:29:15 +02:00
Ruben Groenewoud 1aea1ee9bb [New rule] Sus File Creation in init.d for Persistence Detected (#2653)
* [New Rule] Init.d File and Service Creation

* Changed rule name

* [New Rule] Sus File Creation init.d Persistence

* Added Endgame compatibility

* added touch

* Added OSQuery to investigation guide

* added additional processes

* removed investigation guide to add in sep PR

* changed rule name

* removed investigation guide tag

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update persistence_init_d_file_creation.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-05 09:54:42 +02:00